Biometric Risks You Need To Know About Before Using MFA

Biometric Risks You Need To Know About Before Using MFA

You’ve probably already seen people use facial recognition to log in with their iPhone. That trend tells us that introducing biometric or MFA authentication will probably not come as a shock in the workplace. However, you need to understand and manage implementation risks before you use this authentication method.

Putting Biometric Authentication Risk in Context

To understand biometric authentication’s risks, we need to put it in the right context. It might feel new to your organization, but biometric authentication devices such as fingerprint readers have been around for years. In 2001, police in Florida used large-scale facial recognition scanning to detect threats at the Super Bowl. Thousands of Canadian travelers used the NEXUS card to enter the United States using iris recognition technology. These examples show that biometric technology is far from new. In the smartphone era, biometric authentication has finally become inexpensive, so it’s a realistic option for companies.

However, your company likely doesn’t have the scale and expertise of government organizations. If you’re going to implement biometrics, keep some important issues in mind.

  • Privacy protection: To earn participation in a biometric program, you must demonstrate to employees that your systems for protecting their personal data are sound. Your existing privacy protections may not be robust enough to protect biometric data.
  • Reliability testing: Biometric authentication is far from foolproof. In 2018, the FBI forced a suspect to unlock an iPhone X using Face ID. Such articles should cause us to reassess the vulnerabilities of biometric authentication.
  • Multi-Factor Authentication vs. Single Factor Authentication: Relying exclusively upon biometric authentication isn’t a good move. To reduce risk, combine biometric authentication with another authentication method such as a password, SMS, or hardware devices.
  • Identity and Access Management Governance maturity: Some may view biometric identification such as fingerprints and iris recognition as infallible. That’s a flawed perspective, and it might lead to overconfidence in what biometrics can achieve. Instead, we recommend developing and continuously optimizing an identity and access management framework.

Three Biometric Risks to Manage Before Your Launch an MFA Biometric Program

Before we look at possible solutions, let’s identify the biometric risks. Note that managing one of these risks isn’t enough. They all interact together to impact the success or failure of your biometric MFA program.

1. Biometric Stability Risk

Biometric authentication is based on certain assumptions. You assume that employee fingerprints aren’t going to change. However, suppose employees are injured and some of their fingerprints are no longer readable. Your biometric program needs to recognize that fact and provide for alternative authentication processes, such as using a YubiKey.

Resource: Did you know that fingerprint readers can be fooled? Since we leave fingerprints on most objects we touch, it’s easy for a determined attacker to gain a copy of fingerprints and use them for authentication. Need proof? In 2019, the fingerprint reader in the OnePlus 7 Pro smartphone was hacked in minutes, “using just a hot-glue gun, tinfoil, and some white school glue.”

2. Change Management Risk

Adopting a new technology or practice means changing employee behavior. The challenges of seeking out employee personal information such as iris scans, facial images, and more elevate this risk higher. When employee adoption for biometric authentication is uneven, the organization will receive limited benefits.

Resource: You can reduce change management risk by engaging your company’s stakeholders in the implementation process. Given that biometrics involves sensitive employee data, we recommend engaging the human resources department. Find out how to win HR’s support in identity and access management projects with our post: Win HR Support for Your User Provisioning Project in 5 Steps.

3. Governance Risk

Earlier, we mentioned the concern that some people overestimate what biometric authentication can deliver. Yes, it’s powerful. It can help reduce fraud. However, this authentication technology doesn’t manage itself. The quality of reporting, training, and oversight you exercise over it matters. If you have poorly managed governance, you face higher governance risk.

Options to Improve the Reliability of Your Multi-Factor Authentication (MFA) Program

Start with admitting the reality that there’s no silver bullet in MFA. It would be best if you had a solid process and robust software to make MFA and biometrics effective. That’s where Avatier’s identity and access management software solutions help.

With Identity Anywhere, you have more authentication options than ever before. Starting in May 2019, we now offer support for FIDO2 Web AuthN for password management. Even better, Avatier also offers support for security keys such as YubiKey. Here’s what that means for your organization. You can introduce much stronger authentication to protect your employees and customers.

Instead of asking employees to memorize complicated 50-character passwords, you can use MFA. For instance, require a combination of fingerprint reader and passwords for login to your finance systems. However, fingerprint readers aren’t always a practical solution. That’s why we also support other ways to integrate MFA, such as equipping people with USB keys as an authentication option.

Welcome to the Passwordless Authentication World

In the technology industry, we’ve relied upon passwords to authenticate users for decades. That age may be coming to an end. Passwords can be written down, copied, and distributed. Users struggle to remember passwords, which is why we see so many cases of password reuse disease. With Identity Anywhere’s new MFA biometric authentication options, you can preserve security without relying exclusively upon passwords.

Written by Nelson Cicchitto